Hi Yufei,

Do you think it's okay to _automatically_ add the new role to all
Principals that get the "catalog admin" role?

I'm sure it can work fine in some specific deployments, but I have doubts
about doing this automatically across all deployments.

From my perspective, this seems like an overreach because each
catalog_admin role is local to its catalog, but the new role is global to
the realm and gives access to principal roles that are scoped under the
realm.

Automatically exposing realm data to catalog-specific admins seems to
contradict the principle of separating catalog roles from principal roles.

WDYT?

As far as I can tell, Michael opened the related issue as a convenience
improvement. Perhaps we could find another solution that solves the
convenience problem without wide automatic grants.

Thanks,
Dmitri.

On Tue, Mar 24, 2026 at 8:32 PM Yufei Gu <[email protected]> wrote:

> Thanks for working on this. I did one pass. Left some comments. One
> important thing missing in the PR is how it supports the existing realm.
> The new role (`catalog_role_manager`) is created only during bootstrap, and
> re-bootstrap is rejected for existing realms. The runtime silently skips
> the feature when the role is missing, so upgraded deployments will never
> get it. We need a migration path that creates the role on startup if
> absent, without requiring a full realm purge.
>
> Yufei
>
>
> On Mon, Mar 23, 2026 at 10:19 AM Dmitri Bourlatchkov <[email protected]>
> wrote:
>
> > Linking old dev thread for reference:
> > https://lists.apache.org/thread/ws0blghsv8jl9rbwpgfgcbzjs7d38242
> >
> > On 2026/03/23 17:17:51 Dmitri Bourlatchkov wrote:
> > > Hi All,
> > >
> > > Vignesh opened PR [3852] on Feb 20.
> > >
> > > This PR affects Polaris' internal RBAC.
> > >
> > > I personally do not have enough context in the internal RBAC use case
> > > to be able to reason about possible adverse effects.
> > >
> > > Michael, Dennis: Please review this PR, if possible.
> > >
> > > From my side, I do not see any reason against merging this PR.
> > >
> > > I propose giving it a few more days in review and then merging.
> > >
> > > [3852] https://github.com/apache/polaris/pull/3852
> > >
> > > Thanks,
> > > Dmitri.
> > >
> >
>
